Attack Turns Android Devices Into Spam-Spewing Botnets

From an attacker's perspective, malware doesn't need to be elegant or sophisticated; it just needs to work.

That's the ethos behind a recent spate of Trojan applications designed to infect smartphones and tablets that run the Android operating system, and turn the devices into spam-SMS-spewing botnets.

By last week, the malware was being used to send more than 500,000 texts per day. Perhaps appropriately, links to the malware are also being distributed via spam SMS messages that offer downloads of popular Android games--such as Angry Birds Star Wars, Need for Speed: Most Wanted, and Grand Theft Auto: Vice City--for free.

Despite the apparent holiday spirit behind the messages, however, it's just a scam. "If you do download this 'spamvertised' application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware's author," according to an overview of the malware written by Cloudmark lead software engineer Andrew Conway.

The malware in question uses infected phones "to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server," said Conway. Of course, the smartphone owner gets to pay any associated SMS-sending costs.

An earlier version of the malware was discovered in October, disguised as anti-SMS spam software, but it remained downloadable for only a day. "Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell," said Conway. Subsequently, the malware was repackaged as free versions of popular games, and the malware's creator now appears to be monetizing the Trojan by sending gift card spam of the following ilk: "You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at [redacted website name] can claim it!"

As with the majority of Android malware, the malicious apps can be downloaded not from the official Google Play application store, but rather from third-party download sites, in this case largely based in Hong Kong. In general, security experts recommend that Android users stick to Google Play and avoid third-party sites advertising supposedly free versions of popular paid apps, since many of those sites appear to be little more than "fakeware" distribution farms. But since Android users are blocked from reaching Google Play in some countries, including China, third-party app stores are their only option.

After installing the malware and before it takes hold, a user must first grant the app numerous permissions -- such as allowing it to send SMS messages and access websites. Only then it can successfully transform the mobile device into a spam relay. Of course, people in search of free versions of paid apps may agree to such requests. Furthermore, "not many people read the fine print when installing Android applications," said Conway.

If a user does grant the malware the requested permissions, it will transform their Android device into node, or zombie, for the malware creator's botnet. At that point, the malware immediately "phones home" to a command-and-control server via HTTP to receive further instructions. "Typically a message and a list of 50 numbers are returned," said Conway. "The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers."

Again, the Android malware used to build the accompanying SMS-spewing botnet isn't sophisticated, but it does appear to be earning its creator money. "Compared with PC botnets this was an unsophisticated attack," said Conway. "However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down."

Your employees are a critical part of your security program, particularly when it comes to the endpoint. Whether it's a PC, smartphone or tablet, your end users are on the front lines of phishing attempts and malware attacks. Read our Security: Get Users To Care report to find out how to keep your company safe. (Free registration required.)

These types of scams are fairly rudimentary, but worrisome: when these attacks become more convincing and sophisticated, the Android platform could provide the bad guys massive numbers of prospective bots.

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.